Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@liege.ICS.UCI.EDU> on 1996/07/02 02:24:55 UTC

1.1b5 access.conf

I am puzzled by the example access.conf provided with the distribution --
puzzled because it doesn't seem to be a very good example.  In fact,
I would almost call it a security hole in the sense that it allows
access in an uncontrolled way, without giving an example of how to
control it.  For example, I have the following in my access.conf
which are not represented in 1.1b5:

# All directories not mentioned below are off-limits, but allow
# symlinks to be followed for automounters

<Directory />
AllowOverride None
Options FollowSymLinks
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# For security reasons, CGI script directories must not allow overrides

<Directory /usr/local/etc/httpd/cgi-bin>
AllowOverride None
Options ExecCGI
<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>
 
# The DocumentRoot is assumed to be under our control

<Directory /usr/local/etc/httpd/htdocs>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes FollowSymLinks IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# likewise the server's own icons directory

<Directory /usr/local/etc/httpd/icons>
AllowOverride None
Options Indexes
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# User Directories are assumed not to be under control

<Directory /*/public_html*>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

==================================================================

Obviously, my defaults (a University site) do not apply everywhere,
but I'd prefer a stricter default setup than what we currently ship.
The question is: are the above restrictions "reasonable", and should we

   a) add them to the access.conf-dist
   b) add them, but commented-out, to the access.conf-dist
   c) not add them at all

This would probably have no effect on existing sites, since most
people just move their old ones over from the prior release.

.....Roy
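An added example, not part of Roy's post or of the Apache distribution: it parses an access.conf in the form shown above, resolves each `<Limit>` block into an effective allow/deny per method under `order allow,deny` and `order deny,allow` semantics, and checks for the default-deny `<Directory />` block the post argues for. It models only `from all` rules, as the post uses, and the sample config is constructed.

```python
import re
# Constructed sample in the post's style: default-deny root, CGI dir opens GET/POST only.
STRICT = """<Directory />
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>"""

def parse_access_conf(text):
    """{directory: {METHOD: 'allow'|'deny'}} with order/allow/deny resolved ('from all' only)."""
    result, cur_dir, methods, order, seen = {}, None, [], "deny,allow", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"<Directory\s+(\S+)>", line, re.I):
            cur_dir = m.group(1)
            result.setdefault(cur_dir, {})
        elif m := re.match(r"<Limit\s+(.+)>", line, re.I):
            methods, order, seen = m.group(1).upper().split(), "deny,allow", set()  # Apache default order
        elif m := re.match(r"order\s+(\S+)", line, re.I):
            order = m.group(1).lower()
        elif m := re.match(r"(allow|deny)\s+from\s+(\S+)", line, re.I):
            if m.group(2).lower() != "all":
                raise ValueError("host-specific rules are not modelled: " + line)
            seen.add(m.group(1).lower())
        elif line.lower() == "</limit>":
            if order == "allow,deny":  # allowed only if an allow matches and no deny does
                allowed = "allow" in seen and "deny" not in seen
            else:                      # deny,allow: allowed unless denied; an allow overrides
                allowed = "deny" not in seen or "allow" in seen
            for meth in methods:
                result[cur_dir][meth] = "allow" if allowed else "deny"
    return result

def missing_default_deny(parsed):
    """True when no <Directory /> block denies every method it lists: the gap the post raises."""
    root = parsed.get("/", {})
    return not root or any(v != "deny" for v in root.values())
```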